Zero Day Initiative Advisory 11-303

Zero Day Initiative Advisory 11-303 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way QuickTime handles H.264 streams. When parsing the Sequence Parameter Set data for an H.264 stream, it reads the frame cropping offset fields. When those fields contain incorrect data, QuickTime will eventually write outside the buffer allocated for the movie stream. This can result in remote code execution under the context of the current user.

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the way QuickTime handles H.264 streams. When parsing the Sequence Parameter Set data for an H.264 stream, it reads the frame cropping offset fields. When those fields contain incorrect data, QuickTime will eventually write outside the buffer allocated for the movie stream. This can result in remote code execution under the context of the current user.
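As an added illustration (not code from ZDI, Apple, or the original advisory), the sketch below parses the start of an H.264 Sequence Parameter Set and applies the frame cropping range rule from the H.264 specification, the kind of check a decoder or file scanner can run before any buffer is sized from these fields. It goes beyond the advisory's text, which does not say which check QuickTime lacked; the names `BitReader` and `check_sps_cropping` are hypothetical, and the code assumes Baseline/Main profile and an RBSP with the NAL header and emulation-prevention bytes already removed.

```python
class BitReader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u(self, n: int) -> int:  # read n bits, MSB first
        if self.pos + n > 8 * len(self.data):
            raise ValueError("truncated SPS")
        v = 0
        for _ in range(n):
            v = (v << 1) | ((self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return v

    def ue(self) -> int:  # unsigned Exp-Golomb, ue(v)
        zeros = 0
        while self.u(1) == 0:
            zeros += 1
            if zeros > 31:
                raise ValueError("oversized Exp-Golomb code")
        return (1 << zeros) - 1 + self.u(zeros)

def check_sps_cropping(rbsp: bytes) -> dict:
    """rbsp: SPS after the NAL header byte, emulation-prevention bytes already removed."""
    r = BitReader(rbsp)
    if r.u(8) not in (66, 77):  # Baseline/Main: always 4:2:0, no chroma_format_idc
        raise ValueError("profile not covered by this example")
    r.u(16)                     # constraint flags, level_idc
    r.ue(); r.ue()              # seq_parameter_set_id, log2_max_frame_num_minus4
    poc_type = r.ue()           # pic_order_cnt_type
    if poc_type == 0:
        r.ue()                  # log2_max_pic_order_cnt_lsb_minus4
    elif poc_type == 1:
        raise ValueError("pic_order_cnt_type 1 not covered by this example")
    r.ue(); r.u(1)              # max_num_ref_frames, gaps_in_frame_num_value_allowed_flag
    width = 16 * (r.ue() + 1)   # pic_width_in_mbs_minus1
    map_units = r.ue() + 1      # pic_height_in_map_units_minus1
    frame_mbs_only = r.u(1)
    r.u(1 if frame_mbs_only else 2)  # [mb_adaptive_frame_field_flag,] direct_8x8_inference_flag
    height = 16 * (2 - frame_mbs_only) * map_units
    left = right = top = bottom = 0
    if r.u(1):                  # frame_cropping_flag
        left, right, top, bottom = (r.ue() for _ in range(4))
    cux, cuy = 2, 2 * (2 - frame_mbs_only)  # crop units in luma samples for 4:2:0
    ok = cux * (left + right) < width and cuy * (top + bottom) < height
    return {"coded": (width, height), "crop": (left, right, top, bottom), "valid": ok}

# Constructed samples: Baseline, 320x192 coded (20x12 macroblocks), progressive.
GOOD_SPS = bytes.fromhex("42c01eda05067e70")    # bottom offset 6 -> 320x180 displayed
BAD_SPS = bytes.fromhex("42c01eda0506780403")   # right offset 255 = 510 samples > 320
```

A caller should reject the stream when `valid` is false or a `ValueError` is raised, rather than clamping the offsets and continuing.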

-- Vendor Response:

Apple has issued an update to correct this vulnerability. More details can be found at:

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.